Hello guys, I am trying to bring up an easy OpenVPN Server configuration on a Lede i686 ESXi VM.
My setup is the following:
BT HomeHub 5a (pppoe-wan) > lan 172.12.0.0/24 > ESXi Lede VM 172.12.0.118.
Basically I want to deploy the OpenVPN Server on the Lede VM instead of the gw.
On the BT HomeHub 5a (gw) I added the following configuration to open and forward 1194 inbound traffic:
/etc/config/firewall
config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcpudp'
    option dest_port '1194'

config redirect
    option name 'vpn'
    option target 'ACCEPT'
    option src_dport '1194'
    option proto 'tcpudp'
    option dest_ip '172.12.0.118'
    option src 'wan'
    option dest 'lan'
While on the Lede VM I have done the following:
/etc/config/network
config interface 'lan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'int_switch'
    option type 'bridge'
    option proto 'static'
    option ifname 'eth1 tun0'
    option ipaddr '10.0.1.1'
    option netmask '255.255.255.0'
    option delegate '0'

config interface 'vpn'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'
/etc/firewall.user
iptables -t nat -A PREROUTING -p udp -i int_switch --dport 1194 -j ACCEPT;
iptables -A INPUT -p udp -i int_switch --dport 1194 -j ACCEPT;
iptables -I INPUT -i tun+ -j ACCEPT;
iptables -I FORWARD -i tun+ -j ACCEPT;
iptables -I OUTPUT -o tun+ -j ACCEPT;
iptables -I FORWARD -o tun+ -j ACCEPT;
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o int_switch -s 10.8.0.0/24 -d 10.0.1.0/24 -m conntrack --ctstate NEW -j ACCEPT;
# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o int_switch -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT;
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o int_switch -s 10.8.0.0/24 -j MASQUERADE;
# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o int_switch -s 10.0.1.0/24 -j MASQUERADE;
/etc/config/openvpn
config 'openvpn' 'VPNserver'
    option 'enabled' '1'
    # Protocol
    option 'tls_server' '1'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'topology' 'subnet'
    option 'dev' 'tun'
    option 'dev' 'tun0'
    # Auth & Certs
    option 'ca' '/etc/openvpn/keys/ca.crt'
    option 'cert' '/etc/openvpn/keys/server.crt'
    option 'key' '/etc/openvpn/keys/server.key'
    option 'dh' '/etc/easy-rsa/keys/dh2048.pem'
    # Routes
    option 'server' '10.8.0.0 255.255.255.0'
    option 'ifconfig' '10.8.0.1 255.255.255.0'
    # Clients routes & configs
    list 'push' 'redirect-gateway def1' # this redirects all traffic over vpn
    list 'push' 'route 10.0.1.0 255.255.255.0'
    option 'client_to_client' '1'
    option 'comp_lzo' 'no'
    option 'keepalive' '10 120'
    option 'status' '/tmp/openvpn.status'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'verb' '3'
    option 'mute' '20'
    # Connection Speed
    option 'sndbuf' '393216'
    option 'rcvbuf' '393216'
    option 'fragment' '0'
    option 'mssfix' '0'
    option 'tun_mtu' '48000'
    # Pushed Buffers
    list 'push' 'sndbuf 393216'
    list 'push' 'rcvbuf 393216'
However when I try to connect I get the following error:
Sun May 20 13:49:16 2018 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
Sun May 20 13:49:16 2018 Windows version 5.1 (Windows XP) 32bit
Sun May 20 13:49:16 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Sun May 20 13:49:16 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun May 20 13:49:16 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 20 13:49:16 2018 UDPv4 link local: [undef]
Sun May 20 13:49:16 2018 UDPv4 link remote: [AF_INET]86.155.19.13:1194
Sun May 20 13:49:16 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:18 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:22 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:30 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:46 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:50:16 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 20 13:50:16 2018 TLS Error: TLS handshake failed
Sun May 20 13:50:16 2018 SIGUSR1[soft,tls-error] received, process restarting
Sun May 20 13:50:16 2018 Restart pause, 2 second(s)
Sun May 20 13:50:18 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun May 20 13:50:18 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 20 13:50:18 2018 UDPv4 link local: [undef]
Sun May 20 13:50:18 2018 UDPv4 link remote: [AF_INET]86.155.19.13:1194
Sun May 20 13:50:18 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
If I am not mistaken this means the client wasn't able to reach the server and the connection is dropped.
On the Lede VM (OpenVPN Server) this is what the situation looks like:
br-int_switch Link encap:Ethernet  HWaddr 00:0C:29:DA:E9:64
          inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:e964/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:570 errors:0 dropped:2 overruns:0 frame:0
          TX packets:985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58831 (57.4 KiB)  TX bytes:87099 (85.0 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:DA:E9:5A
          inet addr:172.12.0.118  Bcast:172.12.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:e95a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113965 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105466 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12969781 (12.3 MiB)  TX bytes:32789884 (31.2 MiB)
          Interrupt:19 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0C:29:DA:E9:64
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:570 errors:0 dropped:0 overruns:0 frame:0
          TX packets:985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:66811 (65.2 KiB)  TX bytes:87099 (85.0 KiB)
          Interrupt:18 Base address:0x2080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:10435 (10.1 KiB)  TX bytes:10435 (10.1 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@LEDE:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.12.0.1 0.0.0.0 UG 0 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-int_switch
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.12.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.12.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
As you can probably see, I am very bad when it comes to networking, and worse at firewalling. Any help will be highly appreciated.
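Added example, not part of the original post: a small UCI linter that parses the stanzas quoted above and flags the structural problems a reviewer would raise before looking at the firewall rules, namely an option given twice in one section (dev in VPNserver), a tun device listed as a bridge member (tun is a layer-3 device and Linux bridges cannot include it), the same device claimed by two interfaces (tun0 in int_switch and vpn), and a tun_mtu above 1500 with fragment and mssfix disabled. SAMPLE is a constructed excerpt of the post's config; parse_uci and lint are names chosen here.

```python
import re
# Constructed excerpt of the stanzas from the post (quoted and unquoted UCI spellings both occur).
SAMPLE = """\
config interface 'int_switch'
    option type 'bridge'
    option ifname 'eth1 tun0'
config interface 'vpn'
    option ifname 'tun0'
config 'openvpn' 'VPNserver'
    option 'dev' 'tun'
    option 'dev' 'tun0'
    option 'tun_mtu' '48000'
"""
_TOKEN = re.compile(r"'[^']*'|\S+")   # a quoted string or a bare word

def parse_uci(text):
    """Return [(section_type, section_name, [(keyword, key, value), ...])]."""
    sections = []
    for line in text.splitlines():
        parts = [t.strip("'") for t in _TOKEN.findall(line.split("#", 1)[0])]
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", []))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][2].append((parts[0], parts[1], " ".join(parts[2:])))
    return sections

def lint(text):
    """Return human-readable findings for the UCI text; [] means nothing was flagged."""
    findings, claimed = [], {}   # claimed: device name -> interfaces that list it
    for stype, name, entries in parse_uci(text):
        keys = [k for kw, k, _ in entries if kw == "option"]
        opts = {k: v for kw, k, v in entries if kw == "option"}   # last value wins
        for k in sorted({k for k in keys if keys.count(k) > 1}):
            findings.append(f"{stype}.{name}: option '{k}' is given more than once")
        if stype == "interface":
            devs = opts.get("ifname", "").split()
            for dev in devs:
                claimed.setdefault(dev, []).append(name)
            if opts.get("type") == "bridge":
                for dev in (d for d in devs if d.startswith("tun")):
                    findings.append(f"{stype}.{name}: {dev} is a layer-3 tun device and cannot be bridged")
        if stype == "openvpn" and int(opts.get("tun_mtu", 1500)) > 1500:
            findings.append(f"{stype}.{name}: tun_mtu {opts['tun_mtu']} exceeds 1500, so UDP packets get IP-fragmented")
    for dev, names in claimed.items():
        if len(names) > 1:
            findings.append(f"device {dev} is claimed by interfaces {', '.join(names)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Running it on the real files (`lint(open('/etc/config/network').read())`) works the same way, since the tokenizer accepts both UCI spellings.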